I'm reading RFC 5155, and I'm a bit puzzled by the requirement for "closest encloser" proofs to prove nonexistence of a domain. Given that the RFC requires generating NSEC3 records on empty non-terminals, isn't it sufficient to examine a single NSEC3 record to prove nonexistence?
For example, if I want to prove the nonexistence of a.b.c.example, isn't it sufficient to validate an NSEC3 record that covers that name and is one level higher (e.g., somehash.b.c.example)? Why do I need to prove the closest encloser with a second NSEC3 record?

-Nick Johnson
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
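As an added illustration (not part of the original post or the RFC), the following Python walks through the RFC 5155 section 8.4 validator logic on two constructed zones to show what a single covering NSEC3 record does and does not establish. The NSEC3 hash is a flat label under the apex, so a record covering H(a.b.c.example) exists in any zone that lacks that exact name, including one where a wildcard would have synthesized an answer; the matching closest-encloser record is what lets the validator locate the wildcard that must also be proven absent.

```python
import base64
import hashlib
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s.5: SHA-1(wire-format lowercase name || salt), re-hashed `iterations`
    times, base32hex. The result is a flat label under the apex: H(a.b.c.example) carries
    no information about b.c.example. With salt aabbccdd and 12 iterations, "example"
    hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom (RFC 5155 Appendix A)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32HEX).lower()

def build_chain(names, salt=b"", iterations=0):
    """Constructed NSEC3 chain: sorted (owner hash, next hash) pairs, closed in a ring."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]

def matches(chain, h):
    return any(owner == h for owner, _ in chain)

def covers(chain, h):
    # h lies strictly between owner and next, or in the wrap-around gap of the last record
    return any((o < h < n) or (o >= n and (h > o or h < n)) for o, n in chain)

def prove_nxdomain(qname, chain, salt=b"", iterations=0):
    """RFC 5155 s.8.4 validator logic: returns (closest encloser, next closer name) when
    the chain proves qname is absent and no wildcard could have synthesized it, else None."""
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    next_closer = None
    for i in range(len(labels) + 1):  # walk upward: qname, its parent, ... the apex
        sname = ".".join(labels[i:]) or "."
        if matches(chain, nsec3_hash(sname, salt, iterations)):  # closest encloser found
            if next_closer is None:
                return None  # qname itself exists, so there is nothing to prove absent
            # three records: encloser matched, next closer covered, wildcard below it covered
            if not covers(chain, nsec3_hash(next_closer, salt, iterations)):
                return None
            if not covers(chain, nsec3_hash("*." + sname, salt, iterations)):
                return None
            return sname, next_closer
        next_closer = sname
    return None

# Constructed zones: both lack a.b.c.example, but ZONE_B's *.c.example would synthesize it.
ZONE_A = ["example", "c.example", "b.c.example"]
ZONE_B = ["example", "c.example", "*.c.example"]
```

In ZONE_B a record still covers H(a.b.c.example), yet `prove_nxdomain` correctly fails because the wildcard hash matches instead of being covered.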